agentsmesh/agentsmesh

https://github.com/AgentsMesh/AgentsMesh · lang: go · LOC: · source: both

Quality: 88.3 (Grade A-)
Security: 100.0
Findings: 258 (4 critical · 75 high)
Status: completed · May 31, 2026 01:23
Severity breakdown: critical: 4 · high: 75 · medium: 62 · low: 58 · info: 59
Top rules by occurrence
Rule · Description · Severity · Count
AIC003 · Duplicated implementation block across source files · low · 30
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · high · 25
AUC009 · [AUC009] Sensitive function route lacks elevated authorizat… · medium · 10
JRN003 · Frontend API reference is not matched by discovered backend… · medium · 10
AUC003 · [AUC003] Object-level route lacks visible authorization: A … · high · 10
AUC004 · [AUC004] Admin route does not show super_admin separation: … · medium · 10
DKR002 · Dockerfile base image has no explicit tag · medium · 8
JRN009 · Secret-like setting is echoed into a password input value · high · 7
DKC010 · Compose service lacks no-new-privileges hardening · low · 7
AIC002 · Source file name looks like an AI patch artifact · low · 7
First 200 findings (severity-sorted)
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
backend/internal/api/rest/internal/relay_routes.go:50 · conf 0.70
backend/internal/api/rest/internal/relay_routes.go:51 · conf 0.70
backend/internal/api/rest/v1/routes_ext.go:63 · conf 0.70
backend/internal/api/rest/v1/routes_ext.go:64 · conf 0.70
backend/internal/api/rest/v1/routes_ext.go:70 · conf 0.70
backend/internal/api/rest/v1/routes_ext.go:71 · conf 0.70
backend/internal/api/rest/v1/routes_ext.go:88 · conf 0.70
backend/internal/api/rest/v1/routes_ext.go:90 · conf 0.70
backend/internal/api/rest/v1/routes_ext.go:100 · conf 0.70
backend/internal/api/rest/v1/runners_grpc.go:221 · conf 0.70
high DKC011 Database service publishes a host port
deploy/dev/docker-compose.yml:33 · conf 0.84
deploy/dev/docker-compose.yml:48 · conf 0.84
deploy/onpremise/docker-compose.yml:39 · conf 0.84
deploy/onpremise/docker-compose.yml:56 · conf 0.84
deploy/selfhost/docker-compose.yml:52 · conf 0.84
high JRN009 Secret-like setting is echoed into a password input value
clients/desktop/src/renderer/pages/auth/login/LoginPage.tsx:162 · conf 0.83
clients/desktop/src/renderer/pages/auth/register/RegisterPage.tsx:154 · conf 0.83
clients/desktop/src/renderer/pages/auth/reset-password/ResetPasswordPage.tsx:178 · conf 0.83
clients/web-admin/src/app/login/page.tsx:82 · conf 0.83
clients/web/src/app/(auth)/login/page.tsx:166 · conf 0.83
clients/web/src/app/(auth)/register/page.tsx:122 · conf 0.83
medium AGT015 Remote install command pipes network code directly to a shell
clients/desktop/src/renderer/pages/auth/onboarding/setup-runner/local/components/SetupSteps.tsx:89 · conf 0.70
clients/web/src/app/(auth)/onboarding/setup-runner/local/components/SetupSteps.tsx:89 · conf 0.70
clients/web/src/app/docs/getting-started/page.tsx:75 · conf 0.70
clients/web/src/app/docs/tutorials/runner-setup/_sections/UpdateMethods.tsx:36 · conf 0.70
README.md:63 · conf 0.70
medium AIC001 Parallel implementation file sits beside a canonical file
backend/internal/api/connect/repository/repository_update.go:1 · conf 0.82
backend/internal/api/connect/ticket/ticket_update.go:1 · conf 0.82
backend/internal/service/loop/loop_service_update.go:1 · conf 0.82
runner/internal/updater/updater_backup.go:1 · conf 0.82
medium AIC004 Suspicious implementation file appears unreferenced
backend/internal/service/loop/loop_service_update.go:1 · conf 0.78
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
medium AUC002 [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
· conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 33.9% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
medium AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
backend/internal/api/connect/admin/handlers_relays.go:113 · conf 0.66
backend/internal/api/connect/admin/handlers_users_actions.go:37 · conf 0.66
backend/internal/api/connect/admin/handlers_users_actions.go:60 · conf 0.66
backend/internal/api/connect/admin/handlers_users_actions.go:83 · conf 0.66
backend/internal/api/connect/admin/handlers_users_actions.go:106 · conf 0.66
backend/internal/api/connect/admin/handlers_users_actions.go:129 · conf 0.66
backend/internal/api/connect/admin/handlers_users_actions.go:152 · conf 0.66
backend/internal/middleware/admin.go:13 · conf 0.66
backend/internal/middleware/admin.go:43 · conf 0.66
backend/internal/middleware/admin.go:52 · conf 0.66
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
backend/internal/api/connect/auth/auth_password.go:145 · conf 0.68
backend/internal/api/connect/interceptors/auth.go:74 · conf 0.68
backend/internal/api/connect/promocode/promocode_handlers.go:70 · conf 0.68
backend/internal/api/rest/internal/relay_routes.go:48 · conf 0.68
backend/internal/api/rest/internal/relay_routes.go:50 · conf 0.68
backend/internal/api/rest/internal/relay_routes.go:51 · conf 0.68
relay/internal/server/handler.go:60 · conf 0.68
relay/internal/server/handler.go:124 · conf 0.68
runner/internal/relay/local_server_pod.go:117 · conf 0.68
runner/internal/relay/local_server_pod.go:118 · conf 0.68
medium DKC016 App service does not wait for database health
deploy/dev/docker-compose.yml:94 · conf 0.86
medium DKR003 Dockerfile base image uses the latest tag
deploy/dev/docker-compose.yml:48 · conf 0.94 · Compose service `minio` image uses the latest tag
deploy/dev/docker-compose.yml:94 · conf 0.94 · Compose service `adminer` image uses the latest tag
deploy/onpremise/docker-compose.yml:56 · conf 0.94 · Compose service `minio` image uses the latest tag
deploy/selfhost/docker-compose.yml:52 · conf 0.94 · Compose service `minio` image uses the latest tag
medium DKR018 Database dump or local database file is included in Docker build context
.dockerignore · conf 0.86
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
clients/web/e2e-playwright/helpers/pod-cleanup.ts:63 · conf 1.00
clients/web/src/components/channel/MemberSelector.tsx:26 · conf 1.00
medium JRN003 Frontend API reference is not matched by discovered backend routes
clients/web-admin/src/lib/api/adminAuditLogs.ts:2 · conf 0.74
clients/web-admin/src/lib/api/adminDashboard.ts:2 · conf 0.74
clients/web/src/app/mock-checkout/page.tsx:41 · conf 0.74
clients/web/src/app/mock-checkout/page.tsx:76 · conf 0.74
clients/web/src/app/sitemap.ts:90 · conf 0.74
clients/web/src/app/sitemap.ts:91 · conf 0.74
clients/web/src/components/pwa/push-notification-store.ts:68 · conf 0.74
clients/web/src/components/pwa/push-notification-store.ts:80 · conf 0.74
clients/web/src/components/pwa/push-notification-store.ts:95 · conf 0.74
clients/web/src/lib/viewModels/billing.ts:183 · conf 0.74
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
clients/desktop/src/renderer/shims/electron-shell.ts:6 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC045 eval()/exec() on stored or user-supplied data
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
agentfile/eval/evaluator.go:16 · conf 1.00
backend/cmd/backfill-identifiers/audit.go:13 · conf 1.00
backend/cmd/backfill-identifiers/users.go:87 · conf 1.00
medium SEC046 Client-side open redirect — window.location = server-supplied URL
[SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If t…
clients/desktop/src/renderer/pages/auth/login/OAuthButtons.tsx:50 · conf 1.00
clients/web/src/components/billing/CheckoutFlow.tsx:67 · conf 1.00
medium SEC091 Go: net/http server without timeouts
backend/cmd/server/server.go:26 · conf 1.00
[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).
medium SEC125 AI placeholder credential left in source (your-api-key-here style)
[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pullin…
clients/desktop/src/renderer/pages/auth/onboarding/setup-runner/local/components/SetupSteps.tsx:124 · conf 1.00
clients/web/src/app/(auth)/onboarding/setup-runner/local/components/SetupSteps.tsx:124 · conf 1.00
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78
medium WEB012 Service worker is present without a web app manifest
manifest.json · conf 0.72
medium WEB015 Public web app has no Content Security Policy
index.html · conf 0.70
low AIC002 Source file name looks like an AI patch artifact
backend/internal/service/agentpod/pod_update.go:1 · conf 0.62
backend/internal/service/apikey/apikey_update.go:1 · conf 0.62
backend/internal/service/blockstore/block_update.go:1 · conf 0.62
backend/internal/service/blockstore/ref_update.go:1 · conf 0.62
backend/internal/service/sso/config_update.go:1 · conf 0.62
backend/internal/service/ticket/ticket_update.go:1 · conf 0.62
backend/internal/service/user/repository_provider_update.go:1 · conf 0.62
low AIC003 Duplicated implementation block across source files
backend/internal/api/connect/admin/sso/audit.go:2 · conf 0.86
backend/internal/api/connect/admin/subscription/audit.go:2 · conf 0.86
backend/internal/api/connect/admin/support_ticket/audit.go:2 · conf 0.86
backend/internal/api/connect/admin/support_ticket/handlers_query.go:14 · conf 0.86
backend/internal/api/connect/apikey/apikey_errors.go:9 · conf 0.86
backend/internal/api/connect/binding/binding_query.go:90 · conf 0.86
backend/internal/api/connect/binding/binding_scopes.go:11 · conf 0.86
backend/internal/api/connect/extension/skill_registry.go:161 · conf 0.86
backend/internal/api/connect/extension/skill_registry.go:164 · conf 0.86
backend/internal/api/connect/extension/skill_registry.go:189 · conf 0.86
backend/internal/api/connect/invitation/invitation_errors.go:12 · conf 0.86
backend/internal/api/connect/loop/loop_actions.go:62 · conf 0.86
backend/internal/api/connect/loop/loop_runs.go:26 · conf 0.86
backend/internal/api/connect/loop/loop_runs.go:27 · conf 0.86
backend/internal/api/connect/org/org.go:63 · conf 0.86
backend/internal/api/connect/org/org.go:64 · conf 0.86
backend/internal/api/connect/pod/mutations.go:60 · conf 0.86
backend/internal/api/connect/pod/queries.go:58 · conf 0.86
backend/internal/api/connect/runner/handlers_ops.go:69 · conf 0.86
backend/internal/api/connect/support_ticket/support_ticket_attachments.go:130 · conf 0.86
backend/internal/api/connect/ticket_relations/ticket_relations_convert.go:40 · conf 0.86
backend/internal/api/connect/ticket_relations/ticket_relations_mount.go:2 · conf 0.86
backend/internal/api/grpc/runner_adapter_mcp_channel_msg.go:208 · conf 0.86
backend/internal/api/rest/v1/auth_sso_saml.go:13 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/internal/api/rest/v1/repositories_crud.go:22 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/internal/domain/agent/message.go:38 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/internal/domain/billing/invoice.go:10 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/internal/domain/billing/order.go:10 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/internal/domain/billing/plan.go:10 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/internal/domain/billing/subscription.go:10 · conf 0.86
Duplicated implementation block across source files
low DKC006 Compose service does not declare a runtime user
deploy/dev/docker-compose.yml:15 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
deploy/dev/docker-compose.yml:68 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
deploy/dev/docker-compose.yml:94 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
deploy/dev/docker-compose.yml:258 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
deploy/dev/docker-compose.yml:275 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
deploy/onpremise/docker-compose.yml:19 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
deploy/onpremise/docker-compose.yml:207 · conf 0.56
Compose service does not declare a runtime user
low DKC010 Compose service lacks no-new-privileges hardening
deploy/dev/docker-compose.yml:68 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
deploy/dev/docker-compose.yml:94 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
deploy/dev/docker-compose.yml:121 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
deploy/dev/docker-compose.yml:188 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
deploy/dev/docker-compose.yml:258 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
deploy/dev/docker-compose.yml:275 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
deploy/onpremise/docker-compose.yml:207 · conf 0.62
Compose service lacks no-new-privileges hardening
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
backend/internal/api/connect/admin/skill_registry/handlers_mutations.go:87 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
backend/internal/api/rest/v1/auth_sso.go:83 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
backend/internal/api/rest/v1/loop_handler_actions.go:27 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low WEB001 Public web app has no robots.txt
robots.txt · conf 0.74
Public web app has no robots.txt
low WEB002 Public web app has no sitemap
sitemap.xml · conf 0.72
Public web app has no sitemap
low WEB008 Public docs site has no llms.txt
llms.txt · conf 0.64
Public docs site has no llms.txt
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50
Public web app has no humans.txt
info DKR002 Dockerfile base image has no explicit tag
deploy/onpremise/docker-compose.yml:79 · conf 0.48
Compose service `backend` image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
deploy/onpremise/docker-compose.yml:183 · conf 0.48
Compose service `web` image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
deploy/onpremise/docker-compose.yml:207 · conf 0.48
Compose service `web-admin` image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
deploy/onpremise/docker-compose.yml:231 · conf 0.48
Compose service `relay` image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
deploy/selfhost/docker-compose.yml:75 · conf 0.48
Compose service `backend` image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
deploy/selfhost/docker-compose.yml:140 · conf 0.48
Compose service `web` image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
deploy/selfhost/docker-compose.yml:162 · conf 0.48
Compose service `web-admin` image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
deploy/selfhost/docker-compose.yml:182 · conf 0.48
Compose service `relay` image is selected through a build variable
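The DKC006, DKC010 and DKR002 findings above all point at compose services that omit a runtime `user:`, do not set `no-new-privileges`, or select their image through a build variable with no tag or digest. The following is an added example, not code from the AgentsMesh repository: a small standard-library Go checker that audits a compose document for exactly those three properties, run against two constructed compose fragments (one with the weaknesses, one in the hardened shape). Service names, image references and the two-space indentation convention are assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ServiceCheck records which hardening keys one compose service declares.
type ServiceCheck struct {
	Name        string
	HasUser     bool // DKC006: user: is set
	NoNewPrivs  bool // DKC010: security_opt carries no-new-privileges:true
	ImagePinned bool // DKR002: image has an explicit tag or digest, not a variable
}

var (
	serviceLine = regexp.MustCompile(`^  ([A-Za-z0-9_.-]+):\s*$`)
	varRef      = regexp.MustCompile(`\$\{?[A-Za-z_][A-Za-z0-9_]*\}?`)
)

// imagePinned reports whether an image reference names an explicit tag (other than
// latest) or a digest and is not assembled from a build/environment variable.
func imagePinned(image string) bool {
	image = strings.Trim(image, `"'`)
	if image == "" || varRef.MatchString(image) {
		return false
	}
	if strings.Contains(image, "@sha256:") {
		return true
	}
	slash := strings.LastIndex(image, "/")
	colon := strings.LastIndex(image, ":")
	if colon <= slash { // no tag, or the ':' is a registry port
		return false
	}
	tag := image[colon+1:]
	return tag != "" && tag != "latest"
}

// AuditCompose walks a compose document line by line. It is deliberately a small
// indentation-based reader (services are two-space-indented keys under a top-level
// "services:"), not a YAML parser, so it runs with the standard library only.
func AuditCompose(doc string) []ServiceCheck {
	var out []ServiceCheck
	inServices, cur := false, -1
	for _, raw := range strings.Split(doc, "\n") {
		line := strings.TrimRight(raw, " \t")
		if line == "" || strings.HasPrefix(strings.TrimSpace(line), "#") {
			continue
		}
		if !strings.HasPrefix(line, " ") { // top-level key
			inServices, cur = line == "services:", -1
			continue
		}
		if !inServices {
			continue
		}
		if m := serviceLine.FindStringSubmatch(line); m != nil {
			out = append(out, ServiceCheck{Name: m[1]})
			cur = len(out) - 1
			continue
		}
		if cur < 0 {
			continue
		}
		key := strings.TrimSpace(line)
		switch {
		case strings.HasPrefix(key, "user:"):
			out[cur].HasUser = strings.Trim(strings.TrimSpace(strings.TrimPrefix(key, "user:")), `"'`) != ""
		case strings.HasPrefix(key, "image:"):
			out[cur].ImagePinned = imagePinned(strings.TrimSpace(strings.TrimPrefix(key, "image:")))
		case strings.Contains(key, "no-new-privileges:true"), strings.Contains(key, "no-new-privileges=true"):
			out[cur].NoNewPrivs = true
		}
	}
	return out
}

// Report turns the checks into findings using the same rule IDs as the scan above.
func Report(doc string) []string {
	var findings []string
	for _, s := range AuditCompose(doc) {
		if !s.HasUser {
			findings = append(findings, s.Name+": no runtime user declared (DKC006)")
		}
		if !s.NoNewPrivs {
			findings = append(findings, s.Name+": no-new-privileges not set (DKC010)")
		}
		if !s.ImagePinned {
			findings = append(findings, s.Name+": image not pinned to a tag or digest (DKR002)")
		}
	}
	return findings
}

// Constructed samples, not the project's files: the first carries all three
// weaknesses, the second is the hardened shape.
const weakCompose = `services:
  backend:
    image: ${BACKEND_IMAGE}
    ports:
      - "8080:8080"
  relay:
    image: ghcr.io/example/relay
`

const hardenedCompose = `services:
  backend:
    image: ghcr.io/example/backend:1.4.2
    user: "10001:10001"
    security_opt:
      - no-new-privileges:true
`

func main() {
	for _, f := range Report(weakCompose) {
		fmt.Println(f)
	}
	fmt.Println("hardened findings:", len(Report(hardenedCompose)))
}
```

Run it and the weak document yields six findings (three per service) while the hardened one yields none. `no-new-privileges` matters because it stops setuid/setgid binaries and file capabilities inside the container from raising privilege even if an attacker gets code execution as the runtime user; a numeric `user:` avoids depending on an image's `/etc/passwd`; and a digest pin is the only reference that a registry cannot silently re-point.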
info ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
· conf 0.20
[ERR003] Ignored Error (Go) (and 30 more): Same pattern found in 30 additional files. Review if needed.
info MINED003 Rust Unwrap In Prod CWE-755
· conf 0.20
[MINED003] Rust Unwrap In Prod (and 40 more): Same pattern found in 40 additional files. Review if needed.
info MINED009 Floats For Money CWE-682
· conf 0.20
[MINED009] Floats For Money (and 1 more): Same pattern found in 1 additional files. Review if needed.
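MINED009 flags floating-point types carrying monetary amounts. The block below is an added example, not the project's billing code: it keeps money as an integer count of minor units, parses decimal strings into that type without ever going through a float, rejects (rather than rounds) excess precision, guards against int64 overflow, and shows the accumulation drift that makes float64 the wrong type. The `Cents` type name and the two-decimal currency assumption are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Cents is an amount in the currency's minor unit; integer arithmetic on it is exact.
type Cents int64

var ErrBadAmount = errors.New("malformed amount")

// ParseCents converts a decimal string such as "19.99" or "-0.5" into Cents without
// touching a float. More than two fractional digits is an error, not a rounding.
func ParseCents(s string) (Cents, error) {
	s = strings.TrimSpace(s)
	neg := strings.HasPrefix(s, "-")
	s = strings.TrimPrefix(s, "-")
	parts := strings.SplitN(s, ".", 2)
	whole, frac := parts[0], ""
	if len(parts) == 2 {
		frac = parts[1]
	}
	if whole == "" && frac == "" {
		return 0, ErrBadAmount
	}
	if len(frac) > 2 {
		return 0, fmt.Errorf("%w: more than 2 fractional digits", ErrBadAmount)
	}
	frac += strings.Repeat("0", 2-len(frac))
	var n int64
	for _, c := range whole + frac {
		if c < '0' || c > '9' {
			return 0, fmt.Errorf("%w: non-digit %q", ErrBadAmount, c)
		}
		if n > (1<<63-1-9)/10 { // next n*10+digit would overflow int64
			return 0, fmt.Errorf("%w: overflow", ErrBadAmount)
		}
		n = n*10 + int64(c-'0')
	}
	if neg {
		n = -n
	}
	return Cents(n), nil
}

// String renders the amount with exactly two decimals and no float formatting.
func (c Cents) String() string {
	sign := ""
	if c < 0 {
		sign, c = "-", -c
	}
	return fmt.Sprintf("%s%d.%02d", sign, c/100, c%100)
}

// FloatSumDrifts adds 0.10 one hundred times both ways: the float64 total is not 10.00,
// the Cents total is exactly 1000.
func FloatSumDrifts() (floatResult float64, centsResult Cents) {
	var f float64
	var c Cents
	for i := 0; i < 100; i++ {
		f += 0.10
		c += 10
	}
	return f, c
}

func main() {
	for _, in := range []string{"19.99", "-0.5", "1.234", "9223372036854775808"} {
		v, err := ParseCents(in)
		fmt.Printf("%-22q -> %v %v\n", in, v, err)
	}
	f, c := FloatSumDrifts()
	fmt.Printf("float: %.17g  cents: %v  equal to 10.00: %v\n", f, c, f == 10.0)
}
```

Rounding rules (banker's versus half-up) and multi-currency minor units are policy decisions that belong next to the parser, not scattered through invoice and subscription code; whatever the policy, it is applied once to integers rather than to accumulated float error.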
info MINED012 Curl Pipe Bash CWE-494
· conf 0.20
[MINED012] Curl Pipe Bash (and 3 more): Same pattern found in 3 additional files. Review if needed.
info MINED016 Go Error Ignored CWE-754
· conf 0.20
[MINED016] Go Error Ignored (and 19 more): Same pattern found in 19 additional files. Review if needed.
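ERR003 and MINED016 both flag discarded Go error returns, including one in an admin mutation handler. The security version of that bug is an audit write whose failure is ignored, so the privileged action still happens but leaves no record. The block below is an added example, not the repository's handler: a fail-closed "no audit record, no mutation" pattern beside the ignored-error shape, exercised against a constructed in-memory store and a deliberately broken audit sink. The `SkillStore`, `AuditSink` and event names are the example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// AuditEvent is what an admin mutation must persist before it takes effect.
type AuditEvent struct {
	Actor, Action, Target string
}

// AuditSink abstracts wherever audit records go (a DB table, a log pipeline).
type AuditSink interface {
	Record(ev AuditEvent) error
}

// SkillStore is a stand-in for the registry an admin handler mutates.
type SkillStore interface {
	Delete(id string) error
}

// DeleteSkillIgnoringErrors is the ERR003/MINED016 shape: the audit write's error is
// dropped, so when the sink is down the deletion still happens with no trace.
func DeleteSkillIgnoringErrors(store SkillStore, audit AuditSink, actor, id string) error {
	_ = audit.Record(AuditEvent{Actor: actor, Action: "skill.delete", Target: id})
	return store.Delete(id)
}

// DeleteSkill fails closed: the mutation is refused unless the audit record was written.
// The sink error is wrapped so callers can still tell it apart from a store failure.
func DeleteSkill(store SkillStore, audit AuditSink, actor, id string) error {
	ev := AuditEvent{Actor: actor, Action: "skill.delete", Target: id}
	if err := audit.Record(ev); err != nil {
		return fmt.Errorf("refusing %s of %s: audit record failed: %w", ev.Action, id, err)
	}
	return store.Delete(id)
}

// --- constructed fakes so the example runs offline ---

type memStore struct{ deleted []string }

func (m *memStore) Delete(id string) error { m.deleted = append(m.deleted, id); return nil }

var ErrAuditDown = errors.New("audit backend unavailable")

type brokenSink struct{}

func (brokenSink) Record(AuditEvent) error { return ErrAuditDown }

type memSink struct{ events []AuditEvent }

func (m *memSink) Record(ev AuditEvent) error { m.events = append(m.events, ev); return nil }

// Demo returns how many deletions each variant performed while the audit sink was down.
func Demo() (ignoring, failClosed int) {
	s1, s2 := &memStore{}, &memStore{}
	_ = DeleteSkillIgnoringErrors(s1, brokenSink{}, "admin@example", "skill-42")
	_ = DeleteSkill(s2, brokenSink{}, "admin@example", "skill-42")
	return len(s1.deleted), len(s2.deleted)
}

func main() {
	a, b := Demo()
	fmt.Printf("audit sink down: ignoring-errors variant deleted %d, fail-closed variant deleted %d\n", a, b)
	fmt.Println(DeleteSkill(&memStore{}, brokenSink{}, "admin@example", "skill-42"))
}
```

Whether a given ignored error is a correctness bug or a security bug depends on what the zero value means at that call site; audit writes, token verification and transaction commits are the cases to review first, and `errcheck` or `staticcheck` in CI keeps new ones from landing.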
info MINED033 Go Recover Without Log CWE-755
· conf 0.20
[MINED033] Go Recover Without Log (and 4 more): Same pattern found in 4 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
· conf 0.20
[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
backend/internal/infra/git/github_client.go:29 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
backend/internal/service/repository/service_create.go:146 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
clients/core/crates/auth/src/auth_api_error_tests.rs:247 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 26 more): Same pattern found in 26 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
build_defs/web/next_bazel_wrapper.mjs:100 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
clients/desktop/src/renderer/main.tsx:22 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
clients/desktop/src/renderer/pages/auth/login/ServerSettingsModal.tsx:59 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed.
info MINED045 Ts Non Null Assertion CWE-476
clients/desktop/src/renderer/pages/dashboard/repository-detail/components/capabilities/EditMcpEnvVarsDialog.tsx:39 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
clients/desktop/src/renderer/pages/dashboard/repository-detail/components/capabilities/MarketTab.tsx:115 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
clients/web/e2e-playwright/pages/modals/create-pod.modal.ts:61 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED052 Ts Any Typed CWE-704
clients/web-admin/src/app/(dashboard)/organizations/[id]/_components/use-subscription-actions.ts:23 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
clients/desktop/src/renderer/shims/electron-ipc.ts:3 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
clients/desktop/src/renderer/shims/electron-shell.ts:2 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED055 Npm Install No Lockfile CWE-1357
clients/web/src/app/docs/concepts/agentfile/_sections/DeclarationKeywords.tsx:154 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
info MINED056 React Key As Index CWE-682
· conf 0.20
[MINED056] React Key As Index (and 30 more): Same pattern found in 30 additional files. Review if needed.
info MINED056 React Key As Index CWE-682
clients/desktop/src/renderer/pages/dashboard/repository-detail/components/capabilities/CustomTab.tsx:116 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
clients/desktop/src/renderer/pages/dashboard/repository-detail/components/capabilities/EditMcpEnvVarsDialog.tsx:118 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
clients/desktop/src/renderer/pages/support/SupportPage.tsx:100 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED058 React Dangerously Set Html CWE-79
· conf 0.20
[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed.
info MINED058 React Dangerously Set Html CWE-79
clients/web/src/app/blog/page.tsx:45 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED058 React Dangerously Set Html CWE-79
clients/web/src/app/blog/[slug]/page.tsx:72 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED058 React Dangerously Set Html CWE-79
clients/web/src/app/docs/faq/page.tsx:149 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED059 Rust Expect In Prod CWE-755
clients/core/crates/local-runner/src/lib.rs:133 · conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics just like unwrap(), only with a custom message.
info MINED059 Rust Expect In Prod CWE-755
clients/core/crates/local-runner/src/service.rs:103 · conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics just like unwrap(), only with a custom message.
info MINED059 Rust Expect In Prod CWE-755
clients/core/crates/logging/src/sinks/file.rs:49 · conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics just like unwrap(), only with a custom message.
info MINED060 Go Context No Cancel CWE-401
· conf 0.20
[MINED060] Go Context No Cancel (and 52 more): Same pattern found in 52 additional files. Review if needed.
info MINED060 Go Context No Cancel CWE-401
backend/cmd/backfill-identifiers/main.go:54 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
backend/cmd/server/eventbus_loop.go:27 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
backend/cmd/server/eventbus_perpetual.go:32 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
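MINED060 is about goroutines rooted in `context.Background()`: nothing ever cancels them, so each request that starts one leaves it running. The block below is an added example, not code from the repository: a watcher goroutine started once from a bare Background context and once from a request-derived context with a deadline, plus the signal-bound context that process-lifetime loops (event bus consumers, backfill jobs) should use instead of a raw Background. `startWatcher`, the `/stream` path and the 5-second deadline are the example's own assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"os/signal"
	"syscall"
	"time"
)

// startWatcher models a per-request subscription (event stream, bus consumer): the
// goroutine lives until ctx is done. The returned channel closes when it has exited.
func startWatcher(ctx context.Context) <-chan struct{} {
	stopped := make(chan struct{})
	go func() {
		defer close(stopped)
		<-ctx.Done()
	}()
	return stopped
}

// LeakyHandler is the MINED060 shape: context.Background() is never cancelled, so the
// watcher outlives the request and every request pins one more goroutine together
// with whatever it holds (connections, subscriptions, buffers).
func LeakyHandler(r *http.Request) <-chan struct{} {
	return startWatcher(context.Background())
}

// BoundedHandler derives the watcher's context from the request: a client disconnect,
// the deadline, or the handler returning (deferred cancel) all tear it down.
func BoundedHandler(r *http.Request) <-chan struct{} {
	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
	defer cancel()
	return startWatcher(ctx)
}

// ProcessContext is the right base for process-lifetime loops: still rooted in
// Background, but cancelled on SIGINT/SIGTERM so shutdown unwinds the loops instead of
// killing them mid-work.
func ProcessContext() (context.Context, context.CancelFunc) {
	return signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
}

// Stopped reports whether the watcher exited within the grace period.
func Stopped(done <-chan struct{}, grace time.Duration) bool {
	select {
	case <-done:
		return true
	case <-time.After(grace):
		return false
	}
}

func main() {
	req := httptest.NewRequest(http.MethodGet, "/stream", nil)
	fmt.Println("background-rooted watcher stopped:", Stopped(LeakyHandler(req), 200*time.Millisecond))
	fmt.Println("request-rooted watcher stopped:   ", Stopped(BoundedHandler(req), 2*time.Second))
	ctx, stop := ProcessContext()
	defer stop()
	fmt.Println("process context alive:", ctx.Err() == nil)
}
```

The leak is a resource-exhaustion primitive as much as a bug: anyone who can open the request repeatedly can grow the process without bound. `runtime.NumGoroutine()` before and after a load test, or the `goroutine` pprof profile, makes the accumulation visible in a running service.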
info MINED066 Rust Panic Macro CWE-755
· conf 0.20
[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed.
info MINED066 Rust Panic Macro CWE-755
clients/core/crates/api-client/src/connect_stream_frames.rs:224 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info MINED066 Rust Panic Macro CWE-755
clients/core/crates/api-client/src/error.rs:155 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info MINED066 Rust Panic Macro CWE-755
clients/core/crates/auth/src/auth_api_error_tests.rs:171 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info MINED071 Go Panic Call CWE-755
· conf 0.20
[MINED071] Go Panic Call (and 2 more): Same pattern found in 2 additional files. Review if needed.
info MINED071 Go Panic Call CWE-755
backend/cmd/server/main_startup.go:112 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED071 Go Panic Call CWE-755
backend/internal/api/rest/internal/relay_routes.go:56 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED071 Go Panic Call CWE-755
backend/internal/service/agent/config_builder.go:40 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
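MINED033 (recover without logging) and MINED071 (panic in a request path) are two halves of one failure mode: a panic that reaches the HTTP server either kills the process or, with a silent recover, becomes an invisible 200. The block below is an added example, not the repository's middleware or route code: a swallowing recover beside one that logs the panic with its stack and returns a generic 500, a constructed handler that panics on missing input, and the 400-returning version it should be. The `/items` path and `id` parameter are assumptions for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"runtime/debug"
)

// Middleware wraps a handler, receiving a logger for panic reporting.
type Middleware func(*log.Logger, http.Handler) http.Handler

// SwallowPanics is the MINED033 shape: the panic is recovered so the process survives,
// but nothing is logged and the client gets whatever was (not) written, usually a 200.
func SwallowPanics(_ *log.Logger, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() { recover() }()
		next.ServeHTTP(w, r)
	})
}

// RecoverAndLog records the panic value, request line and stack for operators and
// returns a generic 500 so the panic message (often internal detail) never reaches
// the client.
func RecoverAndLog(logger *log.Logger, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if v := recover(); v != nil {
				logger.Printf("panic in %s %s: %v\n%s", r.Method, r.URL.Path, v, debug.Stack())
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// itemHandler is a constructed handler that panics on missing input: the MINED071 shape
// in a request path. ItemHandlerFixed is what it should do instead.
func itemHandler(w http.ResponseWriter, r *http.Request) {
	id := r.URL.Query().Get("id")
	if id == "" {
		panic("item id missing")
	}
	fmt.Fprintln(w, "item", id)
}

func ItemHandlerFixed(w http.ResponseWriter, r *http.Request) {
	id := r.URL.Query().Get("id")
	if id == "" {
		http.Error(w, "id is required", http.StatusBadRequest)
		return
	}
	fmt.Fprintln(w, "item", id)
}

// Exercise sends a request with no id through mw and reports the status the client saw
// and whatever the middleware logged.
func Exercise(mw Middleware, h http.HandlerFunc) (status int, logged string) {
	var buf bytes.Buffer
	rec := httptest.NewRecorder()
	mw(log.New(&buf, "", 0), h).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/items", nil))
	return rec.Code, buf.String()
}

func main() {
	s, l := Exercise(SwallowPanics, itemHandler)
	fmt.Printf("swallowed: status=%d logged=%d bytes\n", s, len(l))
	s, l = Exercise(RecoverAndLog, itemHandler)
	fmt.Printf("recovered: status=%d logged=%d bytes\n", s, len(l))
	s, _ = Exercise(RecoverAndLog, ItemHandlerFixed)
	fmt.Printf("fixed handler: status=%d\n", s)
}
```

Panicking at startup when a required invariant fails (the `main_startup.go` class of finding) is a legitimate use of `panic`; in a request path it is a denial-of-service lever, and a recover that logs nothing hides the attempts. Keep the logged panic value out of the HTTP response and treat a spike of recovered panics on one route as a signal worth alerting on.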
info SEC019 Raw Authorization Token in Example
clients/web/src/app/docs/api/authentication/page.tsx:48 · conf 0.10
[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live token…
info SEC020 Secret Printed to Logs
backend/internal/service/tokenusage/service.go:103 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
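SEC020 flags diagnostic code that prints a credential-bearing value. The block below is an added example, not the repository's token-usage service: a key/value logging helper that masks values under credential-like keys and any bearer token pasted into free text, beside the verbatim variant the rule describes, run over constructed fields. The field names, the sample token and the "keep the last four characters" convention are the example's own assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"regexp"
	"sort"
	"strings"
)

var (
	// Keys that end in a credential word (api_key, access_token, Authorization) are
	// masked; counters such as tokens_used are not, which matters in a usage service.
	sensitiveKey = regexp.MustCompile(`(?i)(^|_|-)(token|secret|password|passwd|api[_-]?key|authorization|cookie|private[_-]?key)$`)
	bearerInText = regexp.MustCompile(`(?i)(bearer\s+)[A-Za-z0-9._~+/=-]{8,}`)
)

// Redact keeps a 4-character suffix so an operator can still correlate which credential
// was involved without the log becoming a second copy of it.
func Redact(v string) string {
	if len(v) <= 4 {
		return "[REDACTED]"
	}
	return "[REDACTED..." + v[len(v)-4:] + "]"
}

func render(msg string, fields map[string]string, redact bool) string {
	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString(msg)
	for _, k := range keys {
		v := fields[k]
		if redact {
			if sensitiveKey.MatchString(k) {
				v = Redact(v)
			}
			v = bearerInText.ReplaceAllStringFunc(v, func(m string) string {
				prefix := bearerInText.FindStringSubmatch(m)[1]
				return prefix + Redact(m[len(prefix):])
			})
		}
		fmt.Fprintf(&b, " %s=%q", k, v)
	}
	return b.String()
}

// LogEventVerbatim is the SEC020 shape: a debugging helper that prints every field as is.
func LogEventVerbatim(l *log.Logger, msg string, fields map[string]string) {
	l.Println(render(msg, fields, false))
}

// LogEvent masks credential-like keys and bearer tokens before the line is written.
func LogEvent(l *log.Logger, msg string, fields map[string]string) {
	l.Println(render(msg, fields, true))
}

// Capture runs fn against a logger backed by a buffer and returns what was written.
func Capture(fn func(*log.Logger)) string {
	var buf bytes.Buffer
	fn(log.New(&buf, "", 0))
	return buf.String()
}

// Constructed sample input; the token is made up.
const sampleToken = "sk-live-0123456789abcdefXYZW"

func SampleFields() map[string]string {
	return map[string]string{
		"org":         "acme",
		"api_key":     sampleToken,
		"request_hdr": "Authorization: Bearer " + sampleToken,
		"tokens_used": "1532",
	}
}

func main() {
	fmt.Print("verbatim: ", Capture(func(l *log.Logger) { LogEventVerbatim(l, "usage recorded", SampleFields()) }))
	fmt.Print("redacted: ", Capture(func(l *log.Logger) { LogEvent(l, "usage recorded", SampleFields()) }))
}
```

Redaction at the logging call is the last line of defence, not the first: the value should not be in the struct that gets logged to begin with. The key-name list is an allow-nothing-by-default filter only for the names it knows, so pair it with a secret-scanning rule over shipped logs to catch the names it does not.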
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 103 more): Same pattern found in 103 additional files. Review if needed.
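MINED043 (hardcoded `http://` for credential-bearing endpoints) and SEC029 (outbound HTTP built from user input) are both enforced by the same gate: validate the destination before any client is built. The block below is an added example, not the repository's git client or repository service: a URL validator that requires https except to loopback in an explicit local-development mode, rejects embedded userinfo, and refuses literal or resolved addresses in loopback, private, link-local, multicast and unspecified ranges. The resolver is injected so the example runs offline against a constructed lookup table; the hostnames and addresses in it are made up.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

var (
	ErrScheme   = errors.New("https required (http only to loopback in local mode)")
	ErrNoHost   = errors.New("URL has no host")
	ErrUserinfo = errors.New("credentials embedded in URL")
	ErrInternal = errors.New("destination is internal (loopback, private, link-local, unspecified)")
)

// Resolver lets the check run offline; production passes net.DefaultResolver.LookupIP
// and, to defeat DNS rebinding, re-checks the dialed address in net.Dialer.Control.
type Resolver func(host string) ([]net.IP, error)

func isLoopback(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

func blockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateOutboundURL checks a URL the server will fetch with credentials or on a user's
// behalf. allowLocal is the development switch admitting http:// and loopback targets;
// it must be false in production builds.
func ValidateOutboundURL(raw string, allowLocal bool, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	host := u.Hostname()
	if host == "" {
		return ErrNoHost
	}
	if u.User != nil {
		return ErrUserinfo
	}
	local := isLoopback(host)
	switch strings.ToLower(u.Scheme) {
	case "https":
	case "http":
		if !(allowLocal && local) {
			return ErrScheme
		}
	default:
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if local {
		if allowLocal {
			return nil
		}
		return fmt.Errorf("%w: %s", ErrInternal, host)
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip)
	} else if ips, err = resolve(host); err != nil {
		return fmt.Errorf("resolve %s: %w", host, err)
	}
	for _, ip := range ips {
		if blockedIP(ip) { // every address must pass, not just the first
			return fmt.Errorf("%w: %s -> %s", ErrInternal, host, ip)
		}
	}
	return nil
}

// constructedLookup stands in for DNS; the names and addresses are invented.
var constructedLookup Resolver = func(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"api.example.com":    {net.ParseIP("203.0.113.10")},
		"git.internal.corp":  {net.ParseIP("10.20.30.40")},
		"rebind.example.net": {net.ParseIP("203.0.113.9"), net.ParseIP("169.254.169.254")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

func main() {
	for _, raw := range []string{
		"https://api.example.com/user",
		"http://api.example.com/user",
		"https://git.internal.corp/repo.git",
		"https://169.254.169.254/latest/meta-data/",
		"https://rebind.example.net/",
		"http://localhost:8080/callback",
	} {
		fmt.Printf("%-45s %v\n", raw, ValidateOutboundURL(raw, false, constructedLookup))
	}
}
```

Two caveats a practitioner will want: a hostname that passes here can still resolve to a different address at dial time, so the same `blockedIP` test belongs in `net.Dialer.Control` on the HTTP client; and redirects must be re-validated, since a permitted host can 302 to an internal one.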
info SEC045 eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 15 more): Same pattern found in 15 additional files. Review if needed.
info SEC085 JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 additional files. Review if needed.

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/06c71da3-6aea-4bfe-bd59-59aeea878bff/.